New Nmap

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a new version of Nmap, problems in jailed processes under FreeBSD, and other problems in Adobe Acrobat Reader, the GNU Coreutils dir command, xboing, Apple Filing Protocol, libxml2, GNU Anubis, Sun's passwd command, and Safari.

Jailed Processes in FreeBSD

The jail family of system calls confines a process and all of its descendants to a virtual "jail" that restricts access to the rest of the system, even for root-owned processes. A bug in FreeBSD's jail_attach() system call can be exploited by a local attacker to escape the jail and gain full read and write access to the root directory of a process in a different jail.

It is recommended that all users of FreeBSD upgrade their systems to FreeBSD 5.2.1-RELEASE, or to the RELENG_5_2 or RELENG_5_1 security branches dated after the correction date. A patch that repairs this problem has also been released and can be obtained from ftp.freebsd.org, along with a PGP signature that should be used to verify the authenticity of the patch before it is applied.

Adobe Acrobat Reader

Adobe Acrobat Reader, a viewer that renders PDF documents, is vulnerable to a buffer overflow when it reads an XFDF file. An attacker can craft an XFDF file that, when opened by the victim, overflows a buffer in Acrobat Reader and may cause arbitrary code to be executed with the victim's permissions.

The currently available version of Adobe Acrobat Reader is reported not to be vulnerable to this problem. Affected users are encouraged to upgrade as soon as possible.


GNU Coreutils dir Command

The dir command in some versions of the GNU Coreutils package has a bug in the handling of the -w (width) command-line option that can be used in a local denial-of-service attack. The bug is identical to the one reported last year in the ls command (dir is built from the same source as ls, with different default output options), and appears to have been repaired at the same time.

Affected users who have not already upgraded because of the ls bug should upgrade to the latest GNU Coreutils package or to a repaired package from their vendor.

xboing

The X Window System game xboing is reported to be vulnerable to several buffer overflows that, on the many systems where the game is installed set-group-id games, can give a local attacker the permissions of the games group. A simple exploit has been released to the public.

Repaired versions of xboing have been released for Debian GNU/Linux. Affected users should watch their vendors and upgrade as soon as possible. It is suggested that the set-user-id and set-group-id bits be removed from xboing and from any other installed games, where possible.
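The advice above (strip set-id bits from installed games) is easy to audit and apply mechanically. The following is an added example, not part of the column or of the xboing or Debian packages; the games directory is an assumption (commonly /usr/games on Debian, /usr/local/games on FreeBSD), and the -perm tests are those of POSIX find.

```sh
# Added example (not from the column): list, and optionally strip, setuid/setgid
# bits on installed games. The games directory passed as $1 is an assumption;
# adjust it for your system.
# Usage: list_setid /usr/games        strip_setid /usr/games   (the latter as root)
list_setid() {
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

strip_setid() {
    # Clear both set-id bits on every match found by list_setid.
    list_setid "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && echo "stripped set-id bits: $f"
    done
}
```

Run list_setid first and review the output: some games legitimately need setgid games to write a shared high-score file and will simply stop recording scores once the bit is removed, which is usually an acceptable trade. On Debian, record the change with dpkg-statoverride as well, so a later package upgrade does not silently restore the bit.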

Apple Filing Protocol (AFP)

Apple Filing Protocol (AFP) is Apple's network file-sharing protocol. It does not encrypt the files it transfers, and under some conditions it is vulnerable to a man-in-the-middle attack that can be used to capture passwords. Mac OS X offers an option to tunnel AFP through SSH, but it has been reported that in versions of Mac OS X 10.3 prior to 10.3.2 this option does not work: even when SSH is selected, the connection remains vulnerable to a man-in-the-middle attack because of the way the option is implemented.

One possible workaround for this vulnerability is to use a manually established SSH tunnel (forwarding a local port to the server's AFP port and connecting to that local port, which also means the SSH host key is checked). Another is to replace AFP with a secure method such as SFTP until Apple has solved these problems.

New Version of Nmap

Nmap (Network Mapper) is an open source utility for scanning networks and conducting security audits. Nmap version 3.50 has been released. Notable enhancements include an advanced service/version detection system, a dramatically improved OS detection database, full support for Mac OS X, a new look and other enhancements for the NmapFE Unix GUI, UDP-based ping scanning, IPv6 support for many of the most important scan types, and a new --packet_trace option, which makes Nmap display the packets it sends and receives in a format similar to tcpdump's. In addition, there was this announcement: "... and in accordance with section 4 of the GPL, we terminated SCO's rights to redistribute any versions of Nmap in any of their products, ... We have also stopped supporting the OpenServer and UNIXWare platforms."

libxml2

Versions of the libxml2 library (used to parse and manipulate XML documents) before 2.6.6 are vulnerable to a buffer overflow when retrieving a resource over FTP or HTTP. Under some conditions, a remote attacker may exploit this vulnerability through an application linked against libxml2 and execute arbitrary code with the permissions of that application.

It is recommended that users upgrade libxml2 to version 2.6.6 or newer as soon as possible.

Sun passwd Command

Sun's passwd command as distributed with Solaris 8 and 9 (both x86 and SPARC versions) contains a bug that can be exploited by a local attacker to gain root access. The following configurations are vulnerable: Solaris 8 with patch 108993-14 through 108993-31 installed but without patch 108993-32, and Solaris 9 without patch 113476-11.

Affected users should apply the appropriate patch (108993-32 for Solaris 8, 113476-11 for Solaris 9) as soon as possible.
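Because the Solaris 8 case depends on a revision range rather than on whether the patch is present at all, it is worth checking mechanically. The following is an added example, not part of the column or of Sun's tooling: it reads the output of showrev -p (the assumed line format is shown in the comment) and applies the version ranges stated above.

```sh
# Added example (not from the column): decide from `showrev -p` output whether
# a Solaris 8 or 9 host still needs the passwd patch described above.
# Assumed input format, one line per installed patch, as showrev -p prints it:
#   Patch: 108993-20 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
# Usage: showrev -p | passwd_patch_status 8
passwd_patch_status() {
    release="$1"
    case "$release" in
        # Solaris 8: revisions 14..31 of 108993 carry the bug, 32 fixes it;
        # a system that never reached -14 is not listed as affected.
        8) id=108993; first_bad=14; fixed=32 ;;
        # Solaris 9: anything below 113476-11, including no patch, is affected.
        9) id=113476; first_bad=0;  fixed=11 ;;
        *) echo "unsupported release: $release" >&2; return 2 ;;
    esac
    # Highest installed revision of the patch id; 0 if it is not installed.
    rev=$(awk -v id="$id" 'BEGIN { max = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 > max) max = p[2] + 0
        }
        END { print max }')
    if [ "$rev" -ge "$fixed" ]; then
        echo "patched: $id-$rev installed"
    elif [ "$rev" -ge "$first_bad" ]; then
        echo "VULNERABLE: $id-$rev installed, need $id-$fixed"
    else
        echo "not listed as vulnerable: no $id revision $first_bad or later installed"
    fi
}
```

The script deliberately takes the highest installed revision, since showrev -p lists every revision that has ever been applied, and only the newest one determines which passwd binary is on the system.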

GNU Anubis

GNU Anubis, an outgoing mail processor that sits between a mail client and the mail transport agent, is reported to be vulnerable to two buffer overflows and three format string bugs that may, under some conditions, be exploited by a remote attacker to gain root privileges.

Patches are available for versions 3.6.2 and 3.9.93 of GNU Anubis. Users should apply them or upgrade to a repaired version as soon as possible.

Safari

The Mac OS X Safari web browser will crash if a JavaScript array larger than a certain size is created. It is not clear whether this problem can be exploited for anything other than a denial-of-service attack.

Users should watch Apple for a repaired version of the Safari web browser.